[Advanced-java] Sensitive Data -> String getParameter(String) Alternative
Martin Cooper
martin.cooper at tumbleweed.com
Fri May 2 19:06:28 2003
> -----Original Message-----
> From: Nikolaos Giannopoulos [mailto:nikolaos@solmar.ca]
> Sent: Friday, May 02, 2003 9:12 AM
> To: Jukka Sundberg
> Cc: advanced-java@lists.xcf.berkeley.edu
> Subject: RE: [Advanced-java] Sensitive Data -> String getParameter(String) Alternative
>
>
<snip/>
> Earnest Friedman in an offline discussion suggested doing the
> following:
>
> > You could call getParameter().toCharArray(), and use the char[]; the
> > String then would be collectible immediately, right?
>
> Which is probably the best work around for the problem at hand.
I don't believe this will do what you want. When the container parses the
request, it's almost certainly going to build up a map of name/value pairs
for the parameters, one of which will correspond to your credit card number.
Using toCharArray() will ensure that *your* code doesn't have the card
number in a string, but the container will still have it.
I think the only way you can get around this is to use a POST that uses the
multipart/form-data encoding, and then parse the entire request yourself
after calling request.getInputStream().
Actually, the latest version (meaning HEAD in CVS, not yet released) of
Jakarta Commons FileUpload would probably help you a lot with this. It uses
a factory to create each item as it parses the request. You could quite
easily create your own factory that avoids storing the data as a string, and
then rely on FileUpload to do the hard work for you.
It's conceivable that you could get away with parsing a regular POST
yourself, but that would depend entirely on exactly when your container
decides to parse the request. That being the case, it certainly wouldn't be
portable, and I wouldn't recommend this approach.
--
Martin Cooper
>
> If anyone has any other input or comments please feel free to
> jump in ;-)
>
> Thanks,
>
> --Nikolaos
>
>
> _______________________________________________
> Advanced-java mailing list
> Advanced-java@lists.xcf.berkeley.edu
> http://lists.xcf.berkeley.edu/mailman/listinfo/advanced-java
>
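An added example, not part of the original thread, of the approach Martin describes: read the raw multipart/form-data body from the input stream and pull the card field out as a char[] the caller can zero, so this code never creates a String holding the number. The class and method names, the boundary, the field name "card" and the sample body are all constructed for the demo; in a servlet the bytes would come from request.getInputStream() with the length from request.getContentLength() and the boundary from the Content-Type header. Only the part headers, which carry no secret, are decoded to Strings. The container's own socket buffers may still hold the raw bytes, which is the limit Martin points out.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example (not from the thread): parse a multipart/form-data body
 * ourselves so the sensitive field never becomes a java.lang.String in
 * our code. Class, method and field names are assumptions for the demo.
 */
public class RawMultipartField {

    /** Read exactly Content-Length bytes into one buffer we can zero later.
     *  In a servlet: readBody(request.getInputStream(), request.getContentLength()). */
    static byte[] readBody(InputStream in, int contentLength) throws IOException {
        byte[] body = new byte[contentLength];
        int read = 0;
        while (read < contentLength) {
            int n = in.read(body, read, contentLength - read);
            if (n == -1) throw new IOException("body shorter than Content-Length");
            read += n;
        }
        return body;
    }

    /** Naive byte-array search; returns -1 when needle is absent. */
    static int indexOf(byte[] hay, byte[] needle, int from) {
        outer:
        for (int i = Math.max(from, 0); i <= hay.length - needle.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    /** Decode the field bytes straight into a char[] and scrub the decoder's buffer. */
    static char[] decodeToChars(byte[] body, int off, int len) {
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(body, off, len));
        char[] out = Arrays.copyOf(cb.array(), cb.remaining());
        Arrays.fill(cb.array(), '\0');
        return out;
    }

    /** Walk the parts and return the named field as a char[] (null if absent). */
    static char[] extractField(byte[] body, String boundary, String fieldName) {
        byte[] delim = ("--" + boundary).getBytes(StandardCharsets.ISO_8859_1);
        byte[] blankLine = "\r\n\r\n".getBytes(StandardCharsets.ISO_8859_1);
        String wanted = "; name=\"" + fieldName + "\"";   // "; " keeps filename="..." from matching
        int pos = indexOf(body, delim, 0);
        while (pos != -1) {
            int hdrStart = pos + delim.length;
            if (hdrStart + 1 < body.length && body[hdrStart] == '-' && body[hdrStart + 1] == '-') {
                break;                                   // "--boundary--" closes the body
            }
            hdrStart += 2;                               // skip CRLF after the delimiter
            int hdrEnd = indexOf(body, blankLine, hdrStart);
            if (hdrEnd == -1) break;
            // Part headers are metadata, not the secret, so a String is acceptable here.
            String headers = new String(body, hdrStart, hdrEnd - hdrStart, StandardCharsets.ISO_8859_1);
            int dataStart = hdrEnd + blankLine.length;
            int next = indexOf(body, delim, dataStart);
            if (next == -1) break;
            int dataEnd = next - 2;                      // drop the CRLF before the next delimiter
            if (dataEnd < dataStart) break;
            if (headers.contains(wanted)) {
                return decodeToChars(body, dataStart, dataEnd - dataStart);
            }
            pos = next;
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample body. This String exists only to build demo input;
        // in a servlet the bytes come straight from the request stream.
        String boundary = "demoBoundary";
        String sample = "--" + boundary + "\r\n"
                + "Content-Disposition: form-data; name=\"holder\"\r\n\r\n"
                + "Alice\r\n"
                + "--" + boundary + "\r\n"
                + "Content-Disposition: form-data; name=\"card\"\r\n\r\n"
                + "4111111111111111\r\n"
                + "--" + boundary + "--\r\n";
        byte[] raw = sample.getBytes(StandardCharsets.ISO_8859_1);
        byte[] body = readBody(new ByteArrayInputStream(raw), raw.length);

        char[] card = extractField(body, boundary, "card");
        System.out.println("card field has " + card.length + " characters");
        // ... hand card to the payment code, then scrub every buffer that held it.
        Arrays.fill(card, '\0');
        Arrays.fill(body, (byte) 0);
        Arrays.fill(raw, (byte) 0);
    }
}
```

The servlet must never call getParameter() on such a request, or the container may parse the body itself and create the String copy this code avoids. Zeroing the byte[] and char[] is only meaningful while they are still reachable; once the payment code has consumed the value, scrub and drop every reference in the same method.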